CVE-2026-27980
Next.js: Unbounded next/image disk cache growth can exhaust storage
Next.js is a React framework for building full-stack web applications. Starting in version 10.0.0 and prior to version 16.1.7, the default Next.js image optimization disk cache (`/_next/image`) did not have a configurable upper bound, allowing unbounded cache growth. An attacker could generate many unique image-optimization variants and exhaust disk space, causing denial of service. This is fixed in version 16.1.7 by adding an LRU-backed disk cache with `images.maximumDiskCacheSize`, including eviction of least-recently-used entries when the limit is exceeded. Setting `maximumDiskCacheSize: 0` disables disk caching. If upgrading is not immediately possible, periodically clean `.next/cache/images` and/or reduce variant cardinality (e.g., tighten values for `images.localPatterns`, `images.remotePatterns`, and `images.qualities`).
| CWE | CWE-400 |
| Vendor | vercel |
| Product | next.js |
| Published | Mar 18, 2026 |
| Last Updated | Mar 18, 2026 |
Get instant alerts for vercel next.js
Be the first to know when new unknown vulnerabilities affecting vercel next.js are published โ delivered to Slack, Telegram or Discord.